Cybersecurity: Why aren't we getting any better at it?
By Laura Haight
Here we go again. It’s October and that means it is National Cybersecurity Month.
The purpose of National Cybersecurity Month is to educate individuals and businesses on the threats and risks of hacking, cracking and computer-based fraud like phishing and whaling. And to provide actionable steps users and businesses can take to protect themselves and their clients. For the fourth year, my company - Portfolio - is proud to be a Champion in this endeavor.
I’d like to be able to report that the increased awareness of the past 15 years since this campaign started had reduced the number of incidents and their seriousness. But the opposite is true.
The Big Picture
According to a Chief Security Officer magazine review of industry experts:
The cost of cybercrime damage is expected to hit $6 trillion globally by 2021. That’s up from $3.5 trillion in 2015.
Ransomware, which we hardly even knew about in 2015, is projected to hit $11.5 billion in 2019.
In 2019, one business will be hit by ransomware every 14 seconds.
Verizon’s annual Data Breach Investigations Report (DBIR) has been produced for 11 years. The 2018 report, based on 2017 data, paints an increasingly depressing picture. Based on a review of 53,308 incidents, the report finds:
17 percent of breaches happen because of an error: unpatched systems, unprotected confidential data, misconfigured web servers.
In any given phishing campaign, about 4 percent of recipients will click. With enough campaigns, that is everyone eventually.
Among private-sector industries, healthcare is the biggest target, and growing. Although the vast majority of cybercrime has financial gain as its goal, healthcare institutions and providers are a bigger target than financial institutions. In the public sector, public infrastructure is the most frequent target.
And don’t think this is a big-business problem: In 2017, 60 percent of all attacks were perpetrated on small businesses. Your small business is a primary target now because you most likely have few cybersecurity protections. You may be targeted for ransomware or as a stepping stone to bigger fish through your partnerships, vendors, and connections. Or both.
Why aren’t we making headway?
I think there are three reasons.
We put too much faith in others to protect us - security within the apps we use, safety of the services we connect to (like Facebook?).
We feel helpless when we see huge companies like Equifax, SONY, Facebook get hacked. What can we do that these behemoths cannot?
We don’t hear about this all around us. Greenville is not so special that the same metrics would not apply. But we don’t hear about it happening, we don’t talk about it at cocktail parties and business gatherings, we don’t post on social media about it. I think the picture might be different if more businesses came forward and admitted they’d been hacked.
If we aren’t helpless, what can a small business do?
While these steps will not guarantee that you don’t get hacked, they will go a long way to protecting you, your customers, and your company.
Vendors. A large number of breaches happen when a vendor is hacked. The sensitive information of 665,000 Bon Secours patients was breached in 2016 when a vendor left it exposed during a system upgrade. Your mom and mine probably used to tell you: If you lie down with dogs, you get up with fleas. Make sure your vendors are protecting your information. Thorough and focused vetting of their security practices is critical: ask how they protect your data, who can access it, and how quickly they will tell you if something goes wrong.
Limit access. Give employees the least access necessary to do their jobs, and nothing more. Be diligent about reviewing employee and vendor access each quarter, and remove it the day someone leaves or a contract ends.
Patching. How did Equifax lose 145 million Americans’ data? By not patching their servers, even when they were warned they were a target and told there was a fix. Patching can range from relatively simple to very complicated depending on the technology systems in your company. But not patching is like walking out of your house in the morning and leaving the door wide open with a sign: “No one home!” Not an option.
Encrypt email and data. Use the hackers’ tools against them. Ransomware attacks encrypt your drives and servers so that only the attacker can read them; you can encrypt your own data so that only you can read it if a laptop is lost or a database is stolen. Many online services offer encryption for email and data storage. To ensure it’s truly protected, make sure data is encrypted both at rest (on the disk or in the service’s storage) and in transit (on the way to and from the service), and prefer end-to-end encryption, where the service itself cannot read your data. One caveat: encryption protects the confidentiality of your data, but it does not stop ransomware, which will happily encrypt your encrypted files a second time. The defense against ransomware is a current backup kept offline or otherwise out of reach of the infected machine.
Passwords and multi-factor authentication. Access security is three-pronged: Something you know (your password), something you are (a biometric like a fingerprint or retinal scan), and something you have (like a phone or key fob). When I conduct BizSafe reviews, executives routinely demand that I not “waste” time on passwords because “everybody knows that.” I can guarantee you, everyone does not. In your business, enforce strong password requirements. Current guidance says length over complexity (12 characters or more), and promotes passphrases rather than forced mixes of symbols and digits. Implement 2-Factor Authentication on any system or service that offers it. Requiring a code sent to a user’s phone, or a number generated by an authenticator app or key fob, covers the “something you have” factor. An authenticator app or hardware key is stronger than a code sent by text message, which can be intercepted or redirected through a SIM swap, but even a text-message code is far better than a password alone.
Employees. Hardware and software can catch a lot. If you buy top shelf, manage and monitor it vigorously, you will likely stop 90 percent of malware, phishing and other attacks. The other 10 percent can only be stopped by the humanware: the employees and vendors who hold the logins. The hacker only has to be right once. Without engaging employees, there’s a big hole in your safety net, one that is the primary and often successful target for cybercriminals. Training, review, reporting and a business culture that talks about security and rewards employees for being the most important line of defense are the only way you can really stop hackers in their tracks.
Visit the National Cyber Security Alliance site to learn more about how to protect your business, find resources (including a template on how to build a cybersecurity plan), and download tools to help you start building a cybersecurity culture in your business.